What you don't know about the IT supply chain can hurt you

By William Jackson

Aug 22, 2013

Government increasingly relies on off-the-shelf hardware and software from a complex supply chain supporting the system lifecycle, from research and development through retirement and disposal. Too often, however, agencies lack awareness and control over this global network, the National Institute of Standards and Technology warns.

“This lack of visibility and understanding has decreased the control federal departments and agencies have with regard to the decisions impacting the inherited risks traversing the supply chain and the ability to effectively manage those risks,” NIST said in a draft version of guidelines for supply chain security.

The document is the product of a five-year initiative and draws on earlier NIST guidelines for risk management and security controls. The supply chain gets its own publication because of the threats posed by the increasing complexity and geographical diversity of modern business partnerships.

“Globalization of the commercial [IT and communications] marketplace provides increased opportunities for adversaries to directly or indirectly affect the management or operations of companies in a manner that may result in risks to the end user,” the document says.

Supply chain security has been recognized as an essential element of cybersecurity because of the possibility that software and equipment could be compromised at their sources with back doors or malicious code, giving adversaries later access to critical IT systems. There is also a threat that counterfeit or otherwise substandard products could jeopardize the safety of the systems in which they are used.

Threats from other nations, which might control or influence vendors in the supply chain, can be sophisticated and difficult to detect, but significant risk can come from many sources in the chain, including individuals and companies seeking a competitive advantage.

The risk to any system is determined by the vulnerabilities within it, threats against these vulnerabilities, the likelihood of an exploit and the impact of an exploit. SP 800-161 contains a number of real-world scenarios for evaluating and mitigating risks in the supply chain, including:

The possibility of counterfeit telecom parts introduced because of a company’s decision to discontinue some equipment.

The threat of industrial espionage posed by business partnerships of contractors.

The possibility of malicious code insertion by a foreign government or company.

The unintentional compromise of a system by substituting or replacing some components.

NIST is seeking feedback on the guidelines, particularly on how risk management of the IT and communications supply chain integrates with an agency’s overall risk management process, and how useful the threat scenarios and risk assessment processes are.

Comments on the initial draft of SP 800-161 should be sent by October 15 to scrm-nist@nist.gov with "Comments NIST SP 800-161" in the subject line. A template for submitting comments is provided.